Bug #2736

DNS Golden Transaction ID - detection bypass

Added by Alexey Vishnyakov 10 months ago. Updated 10 months ago.

Status: Closed
Priority: High

Description

Hello, team!

I've found an interesting problem in the DNS protocol related to the Transaction ID header field.

I made a signature:

alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, DDNS"; \
content:"|04|ddns|03|net|00|"; \
classtype:trojan-activity; \
sid:1; rev:1;)

Please find a pcap dump in the attached archive: 23_6594.pcap
It contains only one packet, extracted from a public sandbox.
The signature doesn't match!

I investigated this case a bit and found that for a specific range of Transaction ID values (0x6000, 0x6001, ..., 0x6010, ... 0x6594, 0x6595 and maybe more) detection is still absent.
But if we choose something like 0x5FFF as an example - detection works.

I tried another domain (for example, one that is longer by 1 symbol) - and for the previous Transaction ID values detection appears.
So it seems that the Transaction ID has some kind of influence.
I played the following game:

  • I generated 65536 different pcaps for the domain in 23_6594.pcap with all possible Transaction ID values.
  • I scanned them all... and found one more magic Transaction ID value: 0x0400. More than that:
    - pcap with Transaction ID = 0x03FF - detected (23_03FF.pcap)
    - pcap with Transaction ID = 0x0400 - not detected (23_0400.pcap)
    - pcap with Transaction ID = 0x0401 - detected (23_0401.pcap)
  • Then I reduced the original domain length, generated 65535 pcaps, scanned them... and found the same magic ID: 0x0400. And:
    - pcap with Transaction ID = 0x03FF - detected (22_03FF.pcap)
    - pcap with Transaction ID = 0x0400 - not detected (22_0400.pcap)
    - pcap with Transaction ID = 0x0401 - detected (22_0401.pcap)
  • Then I increased the original domain length, again generated 65535 pcaps, again scanned them... and again :) found the same magic ID: 0x0400. And:
    - pcap with Transaction ID = 0x03FF - detected (24_03FF.pcap)
    - pcap with Transaction ID = 0x0400 - not detected (24_0400.pcap)
    - pcap with Transaction ID = 0x0401 - detected (24_0401.pcap)

Finally I just did an nslookup of the "suricata-ids.org" domain (suricata.original.pcap). Fortunately, the Transaction ID was small and I reproduced the detection with the following rule:

alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, suricata"; \
content:"suricata"; \
classtype:trojan-activity; \
sid:2; rev:1;)

Then I changed the Transaction ID to 0x4000 - no detection (suricata.0400.pcap)
I changed it to 0x4001 - detection appears again (suricata.0401.pcap)

I've tested the 0x4000 magic Transaction ID with different domains (DGA - the situation is the same).
It seems that we have a reliable approach to transporting information via DNS tunneling without detection in the DNS protocol.

Could you confirm that?

Thank you
Sincerely yours, Alexey Vishnyakov


Files

dns.zip (3.36 KB) - Alexey Vishnyakov, 12/11/2018 03:29 PM

Related issues

Copied to Bug #2827: DNS Golden Transaction ID - detection bypass (4.0.x) (Closed)

History

#1

Updated by Alexey Vishnyakov 10 months ago

#2

Updated by Victor Julien 10 months ago

  • Assignee set to Victor Julien

Both are known weaknesses in protocol detection. The magic 0x4000 triggers the dcerpc protocol detection, so Suricata then considers it dcerpc. This really requires a rewrite/upgrade of the protocol detection engine. This is something we hope to do for 5.0. I'll see if I can create some hack to fix this specific issue.

The 6594 pcap triggers the teredo detection. We've had issues with this before. I'm trying to see if I can make the teredo probing stricter.
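The collision Victor describes, and the reporter's sweep above, modelled as an added example (not Suricata's own code): a DNS query's big-endian transaction ID supplies the first two payload bytes that protocol probes inspect, so an ID of 0x0400 looks like a DCERPC/UDP v4 request header and any 0x6xxx ID looks like the start of an IPv6 header that a Teredo probe accepts. The prefix checks, the 80-byte DCERPC CL header length and the IPv6 payload-length consistency test are assumptions standing in for the real probes; the point is that a probe which only looks at a prefix misclassifies valid DNS, while one that also checks the structure the claimed protocol implies hands every query back to the DNS parser.

```python
import struct

def build_dns_query(txid, name):
    # Constructed minimal DNS A query: 12-byte header (ID, flags=0x0100,
    # QDCOUNT=1), label-encoded QNAME, QTYPE=A, QCLASS=IN.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def naive_probe(payload):
    # Assumed model of prefix-only probes run ahead of the DNS parser:
    # DCERPC/UDP v4 request == bytes 04 00, Teredo == IPv6 first nibble 6.
    if payload[:2] == b"\x04\x00":
        return "dcerpc"
    if payload[0] >> 4 == 6:
        return "teredo"
    return "dns"

def strict_probe(payload):
    # Same prefixes, but the claimed protocol must also fit the bytes present
    # (assumed checks): a DCERPC CL header is 80 bytes, and an IPv6 header's
    # payload-length field (offset 4) must equal what follows the 40-byte header.
    if payload[:2] == b"\x04\x00" and len(payload) >= 80:
        return "dcerpc"
    if payload[0] >> 4 == 6 and len(payload) >= 40:
        plen = struct.unpack(">H", payload[4:6])[0]
        if plen == len(payload) - 40:
            return "teredo"
    return "dns"

def misclassified_ids(name, probe):
    # Reproduce the reporter's sweep: every transaction ID for which `probe`
    # would not hand the query to the DNS parser, so dns rules never see it.
    return [t for t in range(0x10000) if probe(build_dns_query(t, name)) != "dns"]

if __name__ == "__main__":
    for txid in (0x03FF, 0x0400, 0x0401, 0x5FFF, 0x6594):
        pkt = build_dns_query(txid, "ddns.net")
        print(f"0x{txid:04X}: naive={naive_probe(pkt):7s} strict={strict_probe(pkt)}")
    print("naive probe misclassifies", len(misclassified_ids("ddns.net", naive_probe)), "IDs")
    print("strict probe misclassifies", len(misclassified_ids("ddns.net", strict_probe)), "IDs")
```

For a short query like ddns.net the naive probe diverts 0x0400 plus all 4096 IDs in 0x6000-0x6FFF, matching the two ranges reported; the strict probe diverts none.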

#3

Updated by Victor Julien 10 months ago

  • Status changed from New to Assigned
  • Target version set to 4.1.2

#4

Updated by Victor Julien 10 months ago

  • Status changed from Assigned to Closed

#5

Updated by Victor Julien 8 months ago

  • Copied to Bug #2827: DNS Golden Transaction ID - detection bypass (4.0.x) added
